An apparatus has a data memory region with multiple data symbols and inaccessible zones, a first inaccessible zone placed before each data symbol and a second inaccessible zone placed after each data symbol. The apparatus also has a shadow memory region corresponding to the data memory region. The shadow memory region includes multiple data elements. Each data element corresponds to one of the data symbols or inaccessible zones and indicates an accessibility state of the corresponding data symbol or inaccessible zone. The apparatus includes an address sanitizer hardware block within a processing core and coupled to the shadow memory region. The address sanitizer hardware block checks a selected data element of the shadow memory region, corresponding to a selected data symbol or inaccessible zone being accessed, to determine the accessibility state of the selected data symbol or inaccessible zone, prior to accessing the selected data symbol or inaccessible zone.
Legal claims defining the scope of protection, as filed with the USPTO.
. An apparatus, comprising:
. The apparatus of, in which the address sanitizer hardware block is further configured to convert a physical address of the selected data symbol or inaccessible zone into an index into the shadow memory region to fetch the selected data element in the shadow memory region.
. The apparatus of, in which the shadow memory resides in cache memory of the processing core.
. The apparatus of, in which each of the plurality of data symbols corresponds to a data cache line.
. The apparatus of, further comprising a level 2 (L2) cache configured to communicate with the address sanitizer hardware block in response to allocating the data cache line or evicting the data cache line, in order to determine the accessibility state of the data cache line.
. The apparatus of, in which the address sanitizer hardware block is configured to generate an exception in response to determining the accessibility state indicates inaccessibility.
. The apparatus of, in which the processing core is configured to instruct the address sanitizer hardware block to update the accessibility state of the selected data symbol in response to the data memory region comprising dynamic memory.
. A method implemented by an address sanitizer hardware block, comprising:
. The method of, further comprising converting a physical address of the selected data symbol or inaccessible zone into an index into the shadow memory region to fetch the selected data element in the shadow memory region.
. The method of, in which the shadow memory resides in cache memory of a processing core.
. The method of, in which each of the plurality of data symbols corresponds to a data cache line.
. The method of, in which determining the accessibility state of the data cache line further comprises communicating from a level 2 (L2) cache to the address sanitizer hardware block in response to allocating the data cache line or evicting the data cache line.
. The method of, further comprising generating an exception in response to determining the accessibility state indicates inaccessibility.
. The method of, further comprising instructing the address sanitizer hardware block to update the accessibility state of the selected data symbol in response to the data memory region comprising dynamic memory.
. An apparatus by an address sanitizer hardware block, comprising:
. The apparatus of, in which the at least one processor is further configured to convert a physical address of the selected data symbol or inaccessible zone into an index into the shadow memory region to fetch the selected data element in the shadow memory region.
. The apparatus of, in which the shadow memory resides in cache memory of a processing core.
. The apparatus of, in which each of the plurality of data symbols corresponds to a data cache line.
. The apparatus of, further comprising a level 2 (L2) cache configured to communicate with the address sanitizer hardware block in response to allocating the data cache line or evicting the data cache line.
. The apparatus of, in which the at least one processor is further configured to generate an exception in response to determining the accessibility state indicates inaccessibility.
Complete technical specification and implementation details from the patent document.
Aspects of the present disclosure relate to computing devices, and more specifically to a hardware based address sanitizer (ASAN) for embedded systems.
Mobile or portable computing devices include mobile phones, laptop, palmtop and tablet computers, portable digital assistants (PDAs), portable game consoles, and other portable electronic devices. Mobile computing devices include many electrical components that consume power and generate heat. The components (or compute devices) may include system-on-a-chip (SoC) devices, graphics processing unit (GPU) devices, neural processing unit (NPU) devices, digital signal processors (DSPs), and modems, among others. The components may also include embedded systems, which are a combination of hardware and software components dedicated to a specific task.
Software programming bugs in embedded systems, for example out-of-bounds memory access, may cause software run stability issues, and may also create security vulnerabilities that can be exploited for hacking the embedded systems. An address sanitizer (ASAN) is a software solution designed to catch these bugs at runtime. Memory tagging extension (MTE) is another solution to catch these types of bugs. These solutions, however, come with costs that may not be desirable for embedded systems. These costs may include, but are not limited to, large central processing unit (CPU) loading times, memory overhead, and high hardware specifications. It would be desirable to have a more efficient system to catch out-of-bounds access.
Aspects of the present disclosure are directed to an apparatus. The apparatus has a data memory region comprising multiple data symbols and multiple inaccessible zones, a first inaccessible zone placed before each data symbol and a second inaccessible zone placed after each data symbol. The apparatus also has a shadow memory region corresponding to the data memory region. The shadow memory region includes multiple data elements, each data element corresponding to one of the data symbols or one of the inaccessible zones. Each data element indicates an accessibility state of the corresponding data symbol or inaccessible zone. The apparatus also has an address sanitizer hardware block within a processing core and coupled to the shadow memory region. The address sanitizer hardware block is configured to check a selected data element of the shadow memory region corresponding to a selected data symbol or inaccessible zone being accessed, in order to determine the accessibility state of the selected data symbol or inaccessible zone, prior to accessing the selected data symbol or inaccessible zone.
In aspects of the present disclosure, a method implemented by an address sanitizer hardware block includes checking a selected data element of a shadow memory region corresponding to a selected data symbol or inaccessible zone being accessed. A data memory region comprises multiple data symbols and multiple inaccessible zones. A first inaccessible zone is placed before each data symbol and a second inaccessible zone placed after each data symbol. The shadow memory region corresponds to the data memory region. The shadow memory region includes multiple data elements. Each data element corresponds to one of the data symbols or one of the inaccessible zones. Each data element indicates an accessibility state of the corresponding data symbol or inaccessible zone. The method also includes determining the accessibility state of the selected data symbol or inaccessible zone based on the checking, prior to accessing the selected data symbol or inaccessible zone.
Other aspects of the present disclosure are directed to an apparatus. The apparatus has at least one memory and one or more processors coupled to the at least one memory. The processor(s) is configured to check a selected data element of a shadow memory region (of the at least one memory) corresponding to either a selected data symbol or inaccessible zone being accessed. A data memory region (of the at least one memory) comprises multiple data symbols and multiple inaccessible zones, a first inaccessible zone placed before each data symbol and a second inaccessible zone placed after each data symbol. The shadow memory region corresponds to the data memory region. The shadow memory region includes multiple data elements. Each data element corresponds to one of the data symbols or one of the inaccessible zones. Each data element indicates an accessibility state of the corresponding data symbol or inaccessible zone. The processor(s) is also configured to determine the accessibility state of the selected data symbol or inaccessible zone based on the checking, prior to accessing the selected data symbol or inaccessible zone.
This has outlined, rather broadly, the features and technical advantages of the present disclosure in order that the detailed description that follows may be better understood. Additional features and advantages of the present disclosure will be described below. It should be appreciated by those skilled in the art that this present disclosure may be readily utilized as a basis for modifying or designing other structures for carrying out the same purposes of the present disclosure. It should also be realized by those skilled in the art that such equivalent constructions do not depart from the teachings of the present disclosure as set forth in the appended claims. The novel features, which are believed to be characteristic of the present disclosure, both as to its organization and method of operation, together with further objects and advantages, will be better understood from the following description when considered in connection with the accompanying figures. It is to be expressly understood, however, that each of the figures is provided for the purpose of illustration and description only and is not intended as a definition of the limits of the present disclosure.
The detailed description set forth below, in connection with the appended drawings, is intended as a description of various configurations and is not intended to represent the only configurations in which the concepts described may be practiced. The detailed description includes specific details for the purpose of providing a thorough understanding of the various concepts. It will be apparent, however, to those skilled in the art that these concepts may be practiced without these specific details. In some instances, well-known structures and components are shown in block diagram form in order to avoid obscuring such concepts.
As described, the use of the term “and/or” is intended to represent an “inclusive OR,” and the use of the term “or” is intended to represent an “exclusive OR.” As described, the term “exemplary” used throughout this description means “serving as an example, instance, or illustration,” and should not necessarily be construed as preferred or advantageous over other exemplary configurations. As described, the term “coupled” used throughout this description means “connected, whether directly or indirectly through intervening connections (e.g., a switch), electrical, mechanical, or otherwise,” and is not necessarily limited to physical connections. Additionally, the connections can be such that the objects are permanently connected or releasably connected. The connections can be through switches. As described, the term “proximate” used throughout this description means “adjacent, very near, next to, or close to.” As described, the term “on” used throughout this description means “directly on” in some configurations, and “indirectly on” in other configurations.
Software programming bugs in embedded systems, for example out-of-bounds memory access, may cause software run stability issues, and may also create security vulnerabilities that can be exploited for hacking the embedded systems. An address sanitizer (ASAN) is a software solution designed to catch these bugs at runtime. Memory tagging extension (MTE) is another solution to catch these types of bugs. These solutions, however, come with costs that are not desirable for embedded systems in terms of large central processing unit (CPU) loading times, memory overhead, and high hardware specifications. It would be desirable to have a more efficient system to catch out-of-bounds access.
Aspects of the present disclosure introduce an address sanitizer hardware engine/block. The address sanitizer hardware engine includes a shadow memory region reserved to maintain a status of a region of data stored in off-chip memory, such as double data rate (DDR) synchronous dynamic random access memory (SDRAM). According to these aspects, a number (N) of bits in the shadow memory control behavior of a data symbol inside the data region.
The address sanitizer hardware block is part of the data fetching path and data writing path. When a central processing unit (CPU) reads from or writes to a cache line in a data buffer, the ASAN hardware block checks the corresponding shadow memory bits in the shadow memory and confirms the accessibility of the cache line. The address sanitizer hardware block converts physical addresses of the data region to addresses in the shadow memory and then determines a state of the memory for the data region (e.g., cache line) to prevent out-of-bounds accesses. The address sanitizer hardware block generates an exception in case the cache line is marked inaccessible.
Particular aspects of the subject matter described in this disclosure can be implemented to realize one or more of the following potential advantages. In some examples, the described techniques, such as implementing a hardware based address sanitizer block may prevent out-of-bounds access attempts in embedded systems with reduced overhead.
illustrates an example implementation of a host system-on-a-chip (SoC), which includes an address sanitizer hardware engine, in accordance with aspects of the present disclosure. The host SoC includes processing blocks tailored to specific functions, such as a connectivity block. The connectivity block may include fifth generation (5G) connectivity, fourth generation long term evolution (4G LTE) connectivity, Wi-Fi connectivity, universal serial bus (USB) connectivity, Bluetooth® connectivity, Secure Digital (SD) connectivity, and the like.
In this configuration, the host SoC includes various processing units that support multi-threaded operation. For the configuration shown in, the host SoC includes a multi-core central processing unit (CPU), a graphics processor unit (GPU), a digital signal processor (DSP), and a neural processor unit (NPU). The host SoC may also include a sensor processor, image signal processors (ISPs), a navigation module, which may include a global positioning system (GPS), and a memory. The multi-core CPU, the GPU, the DSP, the NPU, and the multi-media engine support various functions such as video, audio, graphics, gaming, artificial networks, and the like. Each processor core of the multi-core CPU may be a reduced instruction set computing (RISC) machine, an advanced RISC machine (ARM), a microprocessor, or some other type of processor. The NPU may be based on an ARM instruction set.
According to aspects of the present disclosure, a mobile device includes an address sanitizer (ASAN) hardware engine. The address sanitizer hardware engine may include means for checking, means for determining, means for converting, means for generating, and means for instructing. In one configuration, the checking means, the determining means, the converting means, the generating means, and the instructing means may be the CPU, GPU, DSP, NPU, and/or memory as shown in. In other aspects, the aforementioned means may be any structure or any material configured to perform the functions recited by the aforementioned means.
Software programming bugs in embedded systems may cause software run stability issues, and may also create security vulnerabilities that can be exploited to hack the embedded systems. These bugs may cause stack and heap buffer overflow and underflow conditions. A stack is a static memory buffer that operates in accordance with a last in first out (LIFO) principle. A heap is a dynamic memory buffer used during runtime of a software program. Software errors, such as heap use after executing a free function and/or a double free function may also raise issues for embedded systems. Similarly, a static buffer overflow may present issues.
These issues cause software runtime instability. Moreover, the bugs cause security vulnerabilities that may be exploited. An address sanitizer (ASAN) is a software solution designed to catch these bugs at runtime. Memory tagging extension (MTE) is another solution to catch these types of bugs. These solutions, however, come with costs that are not embedded system friendly in terms of large central processing unit (CPU) loading times, memory overhead, and high hardware specifications, such as a 64 bit instruction set.
Aspects of the present disclosure introduce an address sanitizer hardware engine. The address sanitizer hardware engine includes a shadow memory region reserved to maintain a status of a region of data stored in off-chip memory, such as double data rate (DDR) synchronous dynamic random access memory (SDRAM). According to these aspects, a number (N) of bits in the shadow memory control behavior of a data symbol inside the data region. The location of the N bits for a cache line inside the data region may be calculated linearly from addresses of the data. That is, a start address of the data is known, and thus, the locations may be calculated based on the start address. Each data symbol may be padded so that the data symbol aligns with boundaries of a cache line.
is a block diagram illustrating a cache line and corresponding shadow memory for an address sanitizer (ASAN) hardware engine, in accordance with various aspects of the present disclosure. In the example of, memory includes a data region and a region of shadow memory. The memory may be DDR memory, in some implementations. The data region includes a data buffer storing a data symbol and two no access regions. The no access regions protect the data buffer, preventing overruns into a next buffer region. In the example of, the data buffer is padded to evenly match a cache line. The alignment may be with the front, end, or both sides of the cache line. A first no access region has a size (X) and is inserted before the data symbol in the data buffer. A second no access region has a size (Y) and is inserted after the data symbol in the data buffer. The values X and Y are integers and may or may not be equal to one another.
Shadow memory bits correspond to portions of the data region and indicate accessibility of the data in the data region. Only some of the shadow memory bits are labeled in for ease of illustration. A number (N) of the shadow memory bits in the shadow memory control behavior of a data symbol inside the data region. In some implementations, two bits of the shadow memory correspond to 64 bytes of the data region, such that the shadow memory has a same structure as the data region, but is compressed. By checking the shadow memory, which may be stored on-chip in a shadow cache in some implementations, the data buffer in the DDR need not be checked on every memory access, thereby improving memory access speed. The shadow memory may be stored in the shadow cache when first reading from the shadow memory.
The shadow memory bit corresponding to the first no access region and the shadow memory bit corresponding to the second no access region indicate the no access regions are not accessible. The shadow memory bits corresponding to the data symbol inside the data buffer indicate the data buffer is accessible.
For a static data symbol (e.g., in a memory stack), padding the symbols to the cache line boundary, inserting the no access bytes, and marking the shadow memory are performed by a compiler at compilation time. For dynamically allocated memory (e.g., a heap buffer), a heap library pads the symbols to the cache line boundary, inserts the no access bytes, and marks the shadow memory.
is a block diagram illustrating an address sanitizer (ASAN) hardware (HW) block in a data access path, according to various aspects of the present disclosure. In the example of, a central processing unit (CPU) accesses a memory (e.g., DDR memory) via an address sanitizer hardware block. The address sanitizer hardware block is part of the data fetching path and data writing path. When the CPU reads from or writes to a cache line, the ASAN hardware block checks the corresponding shadow memory bits and confirms the accessibility of this cache line. The address sanitizer hardware block converts physical addresses of the data region to addresses in the shadow memory, and then determines a state of the memory for the data region (e.g., cache line) to catch out-of-bounds accesses. The address sanitizer hardware block generates an exception in case the cache line is marked inaccessible. The address sanitizer hardware block may perform the check asynchronously to avoid blocking the data read or write process. In some aspects, the check may be implemented as a best effort so that requests to check accessibility can be dropped when system load is too heavy. The ASAN hardware block provides a programmable interface allowing software to change the state of the no access regions to accessible or inaccessible, as appropriate. For example, a heap library can program the shadow memory corresponding to the no access regions around an allocated block during heap allocate and free operations.
The number (N) of bits corresponding to each cache line can be configured. In some implementations, one bit marks the corresponding cache line as accessible or not accessible. Additional bits may be configured in other implementations. For example, another bit may indicate whether a cache line has ever been accessed. This option helps to profile whether all cache lines in the system are effectively used, so memory usage may be optimized.
The ASAN hardware block may support multiple shadow regions to cover multiple data regions. The ASAN hardware block may be configured differently for each region.
The proposed solution reduces overhead on embedded systems compared to a pure software implementation. From a memory perspective, the overhead comes from the shadow memory, where N bits are allocated for each cache line. With this solution, the overhead is calculated by N bits*X MB/cache line size, which is relatively small for an embedded system. The overhead of accessibility checking occurs in hardware asynchronously and has low impact on system performance, which is often critical to embedded systems.
is a block diagram illustrating an address sanitizer (ASAN) hardware engine and micro-architecture, in accordance with various aspects of the present disclosure. In the example of, a memory (e.g., the DDR memory of) includes a reserved data region and a region of shadow memory. A tag of N bits in the shadow memory marks the accessibility of one cache line (e.g., 64 bytes) in the reserved data region. The reserved data region has a physical address (PA) range A, and the shadow memory has a physical address range B.
A CPU (e.g., the CPU of) includes a processor core, a level 2 (L2) cache, and an ASAN hardware engine (e.g., the address sanitizer hardware block of). A shadow cache may also be included. When the L2 cache allocates or evicts a data cache line, the L2 cache sends a request to the ASAN hardware engine to check the accessibility of the cache line, including the physical address of the data to be checked. The ASAN hardware engine may skip the check if the check would interfere with operations of the embedded device.
The ASAN hardware engine loads the shadow cache line corresponding to the data cache line address into the shadow cache and checks the N bits tag. Example bits for a 2-bit tag may be 00 for a valid un-accessed data region, 01 for a valid read from data region, 10 for a valid written-to data region, and 11 for an invalid data region. The ASAN hardware engine generates an exception if the tag indicates the data cache line being accessed is inaccessible. The processor core may change the shadow memory to mark physical addresses of the data cache line as accessible or inaccessible (e.g., valid/invalid) in accordance with changes to the reserved data region, as described with respect to.
is a block diagram illustrating a cache line and corresponding shadow memory for an address sanitizer hardware engine for static symbols, in accordance with various aspects of the present disclosure. In the example of, memory is allocated for a data region and a region of shadow memory. The memory may be DDR memory, in some implementations. The data region includes data buffers storing data symbols. The data region also includes no access regions. The no access regions protect the data buffers, preventing overruns into a next buffer region. In the example of, the data buffers are padded to evenly match cache lines.
Shadow memory bits correspond to portions of the data region and indicate accessibility of the data in the data buffers. Only some of the shadow memory bits are labeled in for ease of illustration.
A compiler aligns the data symbols at cache line boundaries and inserts padding cache lines between the symbols. The compiler initializes the shadow memory and marks shadow memory bits corresponding to the cache lines in the data buffers as accessible and the shadow memory bits corresponding to the no access regions as inaccessible (the shadow memory bits corresponding to the data buffer and the no access region are not shown).
is a block diagram illustrating a cache line and corresponding shadow memory for an address sanitizer hardware engine for heap applications, in accordance with various aspects of the present disclosure. As shown in, memory is allocated for a heap region and a region of shadow memory. In the example of, for heap memory overrun protection, a heap library allocates a block of the heap region and appends no access regions (e.g., padding cache lines) at the beginning and end of the block. The heap library marks the corresponding shadow memory bits for the no access regions as inaccessible. In order to protect a memory segment (e.g., the block) after freeing the memory segment, the heap library frees the block and marks the corresponding shadow memory bits for cache lines in the block as inaccessible. Thus, error conditions caused by later accessing the freed memory segment (e.g., the block) are prevented.
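The following is an added example, not code from the patent: a C software model of the per-cache-line shadow check and of the heap library marking described above, using the 64-byte line and the 2-bit tag values (00, 01, 10, 11) given in the text. The base address, region size, bump allocator, function names, the tag update rule on read and write, and the choice to start with every line marked invalid are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-byte lines and the 2-bit tag values come from the page; the base
 * address and region size are constructed for this example. */
#define LINE_SIZE  64u
#define TAG_BITS   2u
#define DATA_BASE  0x80000000u   /* assumed start of PA range A */
#define DATA_LINES 64u           /* assumed 4 KiB data region   */

enum tag { TAG_UNACCESSED = 0, TAG_READ = 1, TAG_WRITTEN = 2, TAG_INVALID = 3 };
enum verdict { ASAN_OK, ASAN_EXCEPTION, ASAN_NOT_COVERED };

static uint8_t shadow[DATA_LINES * TAG_BITS / 8]; /* four tags per byte */
static uint32_t next_line;                        /* bump-allocator cursor (hypothetical) */

/* Shadow size for a region: N bits * region size / cache line size. */
static uint32_t shadow_bytes(uint32_t region_bytes) {
    return region_bytes / LINE_SIZE * TAG_BITS / 8u;
}

/* Convert a physical address into a tag index; -1 if outside the region. */
static int pa_to_index(uint32_t pa, uint32_t *idx) {
    if (pa < DATA_BASE || pa - DATA_BASE >= DATA_LINES * LINE_SIZE) return -1;
    *idx = (pa - DATA_BASE) / LINE_SIZE;
    return 0;
}

static enum tag get_tag(uint32_t idx) {
    return (enum tag)((shadow[idx / 4u] >> ((idx % 4u) * TAG_BITS)) & 3u);
}

static void set_tag(uint32_t idx, enum tag t) {
    unsigned shift = (idx % 4u) * TAG_BITS;
    shadow[idx / 4u] = (uint8_t)((shadow[idx / 4u] & ~(3u << shift)) | ((unsigned)t << shift));
}

/* Check made on the access path: an invalid tag raises the exception.
 * Assumed update rule: a write marks the line written, a read marks it
 * read only if it was un-accessed. */
static enum verdict asan_check(uint32_t pa, int is_write) {
    uint32_t idx;
    if (pa_to_index(pa, &idx) != 0) return ASAN_NOT_COVERED;
    enum tag t = get_tag(idx);
    if (t == TAG_INVALID) return ASAN_EXCEPTION;
    if (is_write) set_tag(idx, TAG_WRITTEN);
    else if (t == TAG_UNACCESSED) set_tag(idx, TAG_READ);
    return ASAN_OK;
}

/* Heap library side. Assumption: unallocated lines start out invalid. */
static void asan_init(void) {
    memset(shadow, 0xFF, sizeof shadow);
    next_line = 0;
}

/* Pad the block to whole lines and put one no-access line on each side. */
static uint32_t asan_alloc(uint32_t size) {
    if (size == 0 || size > DATA_LINES * LINE_SIZE) return 0;
    uint32_t lines = (size + LINE_SIZE - 1u) / LINE_SIZE;
    if (next_line + lines + 2u > DATA_LINES) return 0;
    uint32_t first = next_line + 1u;
    set_tag(next_line, TAG_INVALID);                 /* leading no-access line  */
    for (uint32_t i = 0; i < lines; i++) set_tag(first + i, TAG_UNACCESSED);
    set_tag(first + lines, TAG_INVALID);             /* trailing no-access line */
    next_line = first + lines + 1u;
    return DATA_BASE + first * LINE_SIZE;
}

/* Freeing marks every line of the block invalid to catch later use. */
static void asan_free(uint32_t pa, uint32_t size) {
    uint32_t idx, lines = (size + LINE_SIZE - 1u) / LINE_SIZE;
    if (pa_to_index(pa, &idx) != 0) return;
    for (uint32_t i = 0; i < lines && idx + i < DATA_LINES; i++) set_tag(idx + i, TAG_INVALID);
}

int main(void) {
    asan_init();
    uint32_t a = asan_alloc(100);                    /* occupies two 64-byte lines */
    printf("shadow for 1 MiB : %u bytes\n", (unsigned)shadow_bytes(1u << 20));
    printf("in-bounds write  : %d\n", (int)asan_check(a, 1));
    /* a + 127 is padding inside the last line: per-line tags cannot flag it. */
    printf("write to padding : %d\n", (int)asan_check(a + 127, 1));
    printf("next line write  : %d\n", (int)asan_check(a + 128, 1));
    asan_free(a, 100);
    printf("use after free   : %d\n", (int)asan_check(a, 0));
    return 0;
}
```

Because the tag granularity is one cache line, an overrun that stays inside the padding of the block's last line passes the check in this model; only an access that reaches a no-access line or a freed line returns the exception verdict.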
is a flow diagram illustrating an example process performed, for example, by a mobile device, in accordance with various aspects of the present disclosure. The example process is an example of address sanitizer hardware block operations. As shown in, in some aspects, the process may include checking a selected data element of a shadow memory region corresponding to either a selected data symbol or inaccessible zone being accessed. A data memory region comprises multiple data symbols and multiple inaccessible zones, a first inaccessible zone placed before each data symbol and a second inaccessible zone placed after each data symbol. The shadow memory region corresponds to the data memory region. The shadow memory region includes multiple data elements. Each data element corresponds to one of the data symbols or one of the inaccessible zones. Each data element indicates an accessibility state of the corresponding data symbol or inaccessible zone (block). In some aspects, the shadow memory resides in cache memory of the processing core. Each of the data symbols may correspond to a data cache line.
In some aspects, the process may include determining the accessibility state of the selected data symbol or inaccessible zone based on the checking, prior to accessing the selected data symbol or inaccessible zone (block). The address sanitizer hardware block may be configured to generate an exception in response to determining the accessibility state indicates inaccessibility. The processing core may be configured to instruct the address sanitizer hardware block to update the accessibility state of the selected data symbol in response to the data memory region being dynamic memory.
is a block diagram showing an exemplary wireless communications system, in which an aspect of the present disclosure may be advantageously employed. For purposes of illustration, shows three remote units and two base stations. It will be recognized that wireless communications systems may have many more remote units and base stations. The remote units include integrated circuit (IC) devices A, B, and C that include the disclosed hardware based address sanitizer (ASAN) engine. It will be recognized that other devices may also include the disclosed hardware based ASAN engine, such as the base stations, switching devices, and network equipment. shows forward link signals from the base stations to the remote units, and reverse link signals from the remote units to the base stations.
In, one remote unit is shown as a mobile telephone, another remote unit is shown as a portable computer, and a third remote unit is shown as a fixed location remote unit in a wireless local loop system. For example, the remote units may be a mobile phone, a hand-held personal communication systems (PCS) unit, a portable data unit, such as a personal data assistant, a GPS enabled device, a navigation device, a set top box, a music player, a video player, an entertainment unit, a fixed location data unit, such as meter reading equipment, or other device that stores or retrieves data or computer instructions, or combinations thereof. Although illustrates remote units according to the aspects of the present disclosure, the disclosure is not limited to these exemplary illustrated units. Aspects of the present disclosure may be suitably employed in many devices, which include the disclosed hardware based ASAN engine.
is a block diagram illustrating a design workstation used for circuit, layout, and logic design of a semiconductor component, such as the hardware based ASAN engine disclosed above. The design workstation includes a hard disk containing operating system software, support files, and design software such as Cadence or OrCAD. The design workstation also includes a display to facilitate design of a circuit or a semiconductor component, such as the hardware based ASAN engine. A storage medium is provided for tangibly storing the design of the circuit or the semiconductor component (e.g., the PLD). The design of the circuit or the semiconductor component may be stored on the storage medium in a file format such as GDSII or GERBER. The storage medium may be a CD-ROM, DVD, hard disk, flash memory, or other appropriate device. Furthermore, the design workstation includes a drive apparatus for accepting input from or writing output to the storage medium.
Data recorded on the storage medium may specify logic circuit configurations, pattern data for photolithography masks, or mask pattern data for serial write tools such as electron beam lithography. The data may further include logic verification data such as timing diagrams or net circuits associated with logic simulations. Providing data on the storage medium facilitates the design of the circuit or the semiconductor component by decreasing the number of processes for designing semiconductor wafers.
Aspect 1: An apparatus, comprising: a data memory region comprising a plurality of data symbols and a plurality of inaccessible zones, a first inaccessible zone placed before each of the plurality of data symbols and a second inaccessible zone placed after each of the plurality of data symbols; a shadow memory region corresponding to the data memory region, the shadow memory region including a plurality of data elements, each data element corresponding to one of the plurality of data symbols or one of the plurality of inaccessible zones, each data element indicating an accessibility state of a corresponding data symbol or inaccessible zone; and an address sanitizer hardware block within a processing core and coupled to the shadow memory region, the address sanitizer hardware block configured to check a selected data element of the shadow memory region corresponding to a selected data symbol or inaccessible zone being accessed, in order to determine the accessibility state of the selected data symbol or inaccessible zone, prior to accessing the selected data symbol or inaccessible zone.
Aspect 2: The apparatus of Aspect 1, in which the address sanitizer hardware block is further configured to convert a physical address of the selected data symbol or inaccessible zone into an index into the shadow memory region to fetch the selected data element in the shadow memory region.
Aspect 3: The apparatus of Aspect 1 or 2, in which the shadow memory resides in cache memory of the processing core.
Aspect 4: The apparatus of any of the preceding Aspects, in which each of the plurality of data symbols corresponds to a data cache line.
Aspect 5: The apparatus of any of the preceding Aspects, further comprising a level 2 (L2) cache configured to communicate with the address sanitizer hardware block in response to allocating the data cache line or evicting the data cache line, in order to determine the accessibility state of the data cache line.
Aspect 6: The apparatus of any of the preceding Aspects, in which the address sanitizer hardware block is configured to generate an exception in response to determining the accessibility state indicates inaccessibility.
Aspect 7: The apparatus of any of the preceding Aspects, in which the processing core is configured to instruct the address sanitizer hardware block to update the accessibility state of the selected data symbol in response to the data memory region comprising dynamic memory.
Aspect 8: A method implemented by an address sanitizer hardware block, comprising: checking a selected data element of a shadow memory region corresponding to a selected data symbol or inaccessible zone being accessed, a data memory region comprising a plurality of data symbols and a plurality of inaccessible zones, a first inaccessible zone placed before each of the plurality of data symbols and a second inaccessible zone placed after each of the plurality of data symbols, the shadow memory region corresponding to the data memory region, the shadow memory region including a plurality of data elements, each data element corresponding to one of the plurality of data symbols or one of the plurality of inaccessible zones, each data element indicating an accessibility state of a corresponding data symbol or inaccessible zone; and determining the accessibility state of the selected data symbol or inaccessible zone based on the checking, prior to accessing the selected data symbol or inaccessible zone.
Aspect 9: The method of Aspect 8, further comprising converting a physical address of the selected data symbol or inaccessible zone into an index into the shadow memory region to fetch the selected data element in the shadow memory region.
Aspect 10: The method of Aspect 8 or 9, in which the shadow memory resides in cache memory of a processing core.
Unknown
October 16, 2025